New progress in blockchain security: in-depth exploration of smart contract SAST technology

Original source: Blockchain security solutions provider MetaTrust

In today's rapidly developing digital age, smart contracts, as a core component of blockchain technology, are gradually becoming the cornerstone supporting decentralized applications (DApps) and financial technology (DeFi). However, the security issues of smart contracts have always been a key factor restricting their widespread application. In view of this, automated, AI-based smart contract security assessment tools, such as MetaScan products under blockchain security solutions provider MetaTrust, are gradually becoming the backbone of ensuring the security of smart contracts.

A few days ago, Metatrust and Nanyang Technological University's collaborative research "Static Application Security Testing (SAST) Tools for Smart Contracts: How Far Are We?" was published at FSE2024 and won the ACM SIGSOFT Distinguished Paper Award, indicating that the contribution of this paper in the field of software engineering has been highly recognized by peers. This award is intended to recognize outstanding papers published at top conferences in the field of software engineering, usually those that stand out in terms of innovation, technical depth, practicality, and contribution to the field of software engineering. This award is usually given to no more than 10% of the best papers at top conferences, so the winning papers represent the highest level of research results in the field.

In the paper, MetaTrust and researchers from Nanyang Technological University, Singapore conducted an in-depth evaluation and analysis of current SAST tools, pointing out the effectiveness and limitations of these tools in detecting smart contract vulnerabilities. The authors conducted an in-depth study of the security issues of smart contracts and proposed an updated, fine-grained vulnerability classification system, including 45 unique vulnerability types. Based on this classification system, they developed an extensive benchmark suite that covers 40 different vulnerability types and includes diverse code features, vulnerability patterns, and application scenarios. Through this benchmark, they evaluated 8 SAST tools that were tested on 18,788 smart contract files and 10,394 vulnerabilities.

Among these tools, the most effective SAST tool is MetaScan, a product developed by MetaTrust Labs, which uses the SAST technology mentioned in the paper to scan for security vulnerabilities in smart contracts. MetaScan uses advanced static analysis technology (Static Analyzer) and artificial intelligence (AI) technology to provide a comprehensive security assessment for smart contracts. Static analysis technology is the cornerstone of smart contract security detection. It does not run the program itself, but only analyzes the syntax and structure of the code to discover potential security issues.

Frontier Progress in Static Analysis Tools

The paper " Static Application Security Testing (SAST) Tools for Smart Contracts: How Far Are We? " explores in depth the application of static analysis engines (Static Analyzer) in software security vulnerability detection. In the paper, the role of static analysis tools (static analyzers) is to detect potential security vulnerabilities in smart contracts without running the program. These tools identify possible security issues by analyzing source code or bytecode without executing the code. This analysis method can provide immediate and comprehensive insights at the coding stage, which is especially important for immutable smart contracts.

The paper deeply analyzes 8 static application security testing (SAST) tools and reveals the limitations of existing SAST tools in detecting smart contract vulnerabilities by building an exhaustive benchmark containing 40 unique vulnerability types. Research shows that these tools can only identify about half of the baseline vulnerabilities, with a high false positive rate and an accuracy of no more than 10%. This shows that although SAST tools have achieved certain results in identifying classic vulnerabilities such as reentrancy attacks, their effectiveness still needs to be improved in the face of deeper logic-related vulnerabilities and protocol layer vulnerabilities.

MetaScan: Multi-engine, multi-dimensional security solution

As the core component of blockchain technology, smart contracts have been widely used in financial services, supply chain management, identity authentication and other fields. However, with the deepening of applications, the security issues of smart contracts have become increasingly prominent, especially in access control, arithmetic processing, cryptographic applications, transaction order dependence, reentrancy attacks and other aspects. The security vulnerabilities in these scenarios not only threaten the security of user assets, but may also affect the stability of the entire blockchain ecosystem.

MetaScan came into being in this context. It integrates a variety of security engines and provides comprehensive security detection services for smart contracts. MetaScan uses the advanced technology of the SAST tool evaluated in the article as one of its engines, which can detect multiple vulnerabilities in smart contracts; at the same time, as the core product of MetaTrust Security Platform, MetaScan uses multiple security engines to provide multi-dimensional security protection. These engines include:

• Security Analyzer for SAST:Uses static code analysis technology to detect potential security vulnerabilities in the code.

• GPTScan:Combines AI technology such as ChatGPT to detect logic vulnerabilities and adapt to various code variants.

• Code Quality:Assess code quality and identify informative and low-level vulnerabilities.

• Security Prover:Focuses on identifying vulnerabilities related to contract execution and fixed logic defects.

• Code Clone:Uses clone detection technology to prevent security risks introduced through code duplication.

• Open Source Analyzer:Performs security assessments on the use of open source libraries to ensure their safe integration in applications.

A static analyzer is a tool that analyzes source code during the compilation phase to detect potential programming errors, vulnerabilities, or other problems without actually executing the code. This tool is very useful for discovering and fixing problems in advance, especially in the development of smart contracts, because once deployed to the blockchain, the code of the smart contract becomes unchangeable.

Among them, the traditional Security Analyzer uses static code analysis technology to detect potential security vulnerabilities and ensure the security of the contract code at the basic level. GPTScan is an innovation that uses advanced artificial intelligence technology, especially language models like ChatGPT, to identify logical vulnerabilities. By simulating attack scenarios and abnormal behavior patterns, GPTScan can discover complex logical problems that traditional methods may miss, thereby broadening the breadth and depth of vulnerability detection.

MetaScan's static analyzer engine uses prompts generated by the GPT model, which are specially designed to simulate potential attack scenarios or abnormal behavior patterns. Through this hybrid approach, the engine is able to delve into code structures, identifying and exposing complex logic vulnerabilities that may be overlooked by traditional methods.

AI Integration: Fusion of Intelligent Assistance and Deep Analysis

The innovation of MetaScan lies in the deep integration of AI technology and static analysis technology. In particular, the GPTScan engine not only relies on the GPT model to identify vulnerabilities, but also uses GPT as a code understanding tool to improve the accuracy of detection by decomposing logical vulnerability types into scenarios and attributes, matching them with GPT, and then verifying them through static confirmation.

The AI assistant of the MetaScan platform can not only provide detailed descriptions and repair suggestions for detected security issues, but also interact with users on the project details page and scan results page to answer questions about vulnerabilities. This integrated AI assistance makes MetaScan not only a security tool, but also an intelligent collaborative work platform, making the security assessment process more intuitive and friendly. Through language as an interactive interface, users can easily obtain targeted security information or take corresponding remedial measures, thereby achieving seamless management of smart contract security.

MetaScan provides users with a comprehensive, intuitive and user-friendly smart contract security assessment platform by combining the latest research results and AI technology. It not only improves the efficiency and accuracy of security assessment, but also makes the security assessment process smoother through the assistance of AI, providing users with the most comprehensive security coverage. With the continuous advancement and innovation of technology, MetaScan will continue to lead the trend of smart contract security assessment and contribute to the security of the blockchain ecosystem.

Conclusion

In summary, the systematic evaluation of SAST tools in the paper Static Application Security Testing (SAST) Tools for Smart Contracts: How Far Are We? reveals the current status and challenges of smart contract security testing technology, and the MetaScan platform represents the forefront of technological innovation in this field. By combining traditional static analysis technology with the latest advances in artificial intelligence, MetaScan not only improves the accuracy and coverage of vulnerability detection, but also achieves efficient interaction with users through AI assistants, making the security assessment of smart contracts more efficient and comprehensive. With the continuous development and improvement of these technologies, the security defense line of smart contracts will be unprecedentedly strengthened, laying a solid foundation for the healthy development of the digital economy.

This article comes from a contribution and does not represent the views of BlockBeats

欢迎加入律动 BlockBeats 官方社群：

Telegram 订阅群： https://t.me/theblockbeats

Telegram 交流群： https://t.me/BlockBeats_App

Twitter 官方账号： https://twitter.com/BlockBeatsAsia